Web Messaging, or cross-document messaging, is an API introduced in the WHATWG HTML5 draft specification, allowing documents to communicate with one another across different origins, or source domains, while rendered in a web browser. Prior to HTML5, web browsers disallowed cross-site scripting, to protect against security attacks. This practice barred communication between non-hostile pages as well, making document interaction of any kind difficult. Cross-document messaging allows scripts to interact across these boundaries, while providing a rudimentary level of security.


Requirements and attributes

Using the Messaging API's postMessage method, plain text messages can be sent from one domain to another, e.g. from a parent document to an IFRAME. This requires that the author first obtain the Window object of the receiving document. As a result, messages can be posted to the following:

* other frames or iframes within the sender document's window
* windows the sender document explicitly opens through JavaScript calls
* the parent window of the sender document
* the window which opened the sender document

The message event being received has the following attributes:

* data - The data, or actual content, of the incoming message.
* origin - The origin of the sender document. This typically includes the scheme, hostname and port. It does not include the path or fragment identifier.
* source - The WindowProxy of where the document came from (the source window).

postMessage is not a blocking call; messages are processed asynchronously.


Example

Suppose we want document A, loaded from example.net, to communicate with document B, loaded from example.com into an iframe or popup window. The JavaScript for document A will look as follows:

    // Obtain the Window object of the first iframe in document A.
    var o = document.getElementsByTagName('iframe')[0];
    // Send a message, naming document B's origin as the only permitted target.
    o.contentWindow.postMessage('Hello B', 'http://example.com/');

The origin of our contentWindow object is passed to postMessage. It must match the origin of the document we wish to communicate with (in this case, document B). Otherwise, a security error will be thrown and the script will stop.

The JavaScript for document B will look as follows:

    function receiver(event) {
      // Accept only messages whose sender is document A's origin.
      if (event.origin == 'http://example.net') {
        if (event.data == 'Hello B') {
          // Reply to document A, addressing only its verified origin.
          event.source.postMessage('Hello A, how are you?', event.origin);
        } else {
          // Otherwise show the message to the user.
          alert(event.data);
        }
      }
    }
    window.addEventListener('message', receiver, false);

An event listener is set up to receive messages from document A. Using the origin property, it then checks that the domain of the sender is the expected domain. Document B then looks at the message, either displaying it to the user, or responding in turn with a message of its own for document A.


Security

Poor origin checking can pose a risk for applications which employ cross-document messaging. To safeguard against malicious code from foreign domains, authors should check the origin attribute to ensure messages are accepted from domains they expect to receive messages from. The format of incoming data should also be checked that it matches the expected format.
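As an added example (not code from the original article), here is a hardened version of document B's receiver that applies both checks just described: an exact-match origin allowlist and a check on the message's shape, with the decision logic kept in a pure function so it can be tested outside a browser. The https origin for document A and the `{type, text}` message shape are assumptions chosen for illustration.

```javascript
// Added example, not from the original article. Assumed: document A is
// served from https://example.net and sends {type, text} objects.
const ALLOWED_ORIGINS = new Set(['https://example.net']);

// Check the payload's shape before acting on it: a plain object with a
// known `type` and a bounded string `text`. Anything else is dropped.
function isValidMessage(data) {
  return (
    data !== null &&
    typeof data === 'object' &&
    !Array.isArray(data) &&
    data.type === 'greeting' &&
    typeof data.text === 'string' &&
    data.text.length <= 256
  );
}

// Pure decision function: given a message event, return what the receiver
// should do. Keeping it free of DOM calls makes it unit-testable.
function decide(event) {
  // Exact match against the allowlist. Prefix or substring tests such as
  // origin.startsWith('https://example.net') would also accept unrelated
  // origins like https://example.net.example.org, so avoid them.
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { action: 'ignore', reason: 'origin not allowed' };
  }
  if (!isValidMessage(event.data)) {
    return { action: 'ignore', reason: 'malformed message' };
  }
  // Reply only to the verified sender, naming its exact origin as the
  // target (never '*'), so no other document can receive the response.
  return {
    action: 'reply',
    targetOrigin: event.origin,
    reply: { type: 'greeting', text: 'Hello A, you said: ' + event.data.text },
  };
}

// Browser wiring; guarded so the file also loads under Node for testing.
function receiver(event) {
  const d = decide(event);
  if (d.action === 'reply') {
    event.source.postMessage(d.reply, d.targetOrigin);
  }
}
if (typeof window !== 'undefined') {
  window.addEventListener('message', receiver, false);
}
```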


Support

Support for cross-document messaging exists in current versions of Internet Explorer, Mozilla Firefox, Safari, Google Chrome, Opera, Opera Mini, Opera Mobile, and the Android web browser. Support for the API exists in the Trident, Gecko, WebKit and Presto layout engines.


See also

* Cross-site scripting
* Cross-site request forgery
* Same origin policy
* Cross-origin resource sharing
* JSONP


External links


HTML5 Web Messaging recommendation

HTML5 Web Messaging specification